Around 1.75 billion sensitive files were leaked by a Brazilian e-commerce integrator that provides services to some of the country's largest online shopping websites.
Hariexpress is headquartered in São Paulo and integrates multiple processes into a single platform to improve retailers' efficiency and operational capability with more than one e-commerce store. Some of the company's clients include Magazine Luiza, Mercado Livre, Amazon and B2W Digital. The national postal service, Correios, is also among the company's partners and was also impacted by the incident.
According to security researcher Anurag Sen at Safety Detectives, who discovered the leak in July 2021, the incident is attributed to a misconfigured and unprotected ElasticSearch server. It involves more than 610GB of exposed data. The researchers noted they were unsuccessful in their attempts to resume communication with the company after initial contact.
According to the experts, banking information relating to customers was not compromised; on the other hand, the leak exposed a vast set of sensitive information, including customers' full names, email addresses, business and residential addresses, company registration, and social security numbers.
In addition, all manner of details relating to purchases, including dates, times and prices of products sold, as well as copies of invoices and login credentials to the Hariexpress service, were also exposed, according to Safety Detectives. The researchers could not estimate the exact number of impacted users due to the amount of duplicate email addresses found in the exposed set of data. Still, it is estimated that several thousands of users were potentially affected by the leak.
Moreover, according to the researchers, it is not possible to tell whether other parties had access to the data. The experts warned that the data set, which contains information that directly identifies users of marketplaces integrated by the company, could be used in phishing and social engineering attacks. The report also warned about the potential for other types of crimes such as burglaries, as the data exposed includes residential and business addresses and extortion since the information also includes purchases of intimate products.
Contacted by ZDNet, the company did not respond to requests for comment. Brazil's National Data Protection Agency was also contacted for comment on the case and had not responded at the time of publication.